---
# tasklist for setting up Dist Git
#
# This is a bit complex, so I'm dividing it into sections.

# -- Common ----------------------------------------------
# This is very basic stuff that is needed by multiple of the next sections.
- name: Enable the mod_auth_openidc module on rhel8
  copy:
    dest: /etc/dnf/modules.d/mod_auth_openidc.module
    content: |
      [mod_auth_openidc]
      name=mod_auth_openidc
      stream=2.3
      profiles=
      state=enabled

- name: install the needed packages
  package: name={{item}} state=present
  with_items:
  - git
  - httpd
  - mod_ssl
  - mod_auth_gssapi
  - /usr/sbin/semanage
  - mod_auth_openidc
  tags:
  - distgit

- name: install the mod_auth_openidc configuration
  template: src=auth_openidc.conf dest=/etc/httpd/conf.d/auth_openidc.conf
  notify:
  - reload httpd
  tags:
  - distgit

- name: install the http push configuration
  template: src=httppush.conf dest=/etc/httpd/conf.d/httpush.conf
  notify:
  - reload httpd
  tags:
  - distgit

- name: Create suexec wrapper directory
  file: path=/var/www/bin state=directory owner=pagure group=packager
  tags:
  - distgit

- name: Install suexec wrappers
  copy:
    src=suexec-{{item}}.sh
    dest=/var/www/bin/suexec-{{item}}.sh
    owner=pagure
    group=packager
    mode=0755
  with_items:
  - gitolite
  - upload
  tags:
  - distgit

- name: Put in git service config
  copy: src=git@.service dest=/etc/systemd/system/git@.service
  tags:
  - distgit

- name: install the mod_ssl configuration
  copy: src=ssl.conf dest=/etc/httpd/conf.d/ssl.conf
  notify:
  - reload httpd
  tags:
  - distgit

- name: Letsencrypt for pkgs.stg.fedoraproject.org
  include_role: name=letsencrypt
  vars:
    site_name: pkgs.stg.fedoraproject.org
  when: env == 'staging'
  tags:
  - distgit
  - letsencrypt

- name: install the keytab
  copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"
        dest=/etc/httpd.keytab
        owner=apache
        group=apache
        mode=0600
  notify:
  - reload httpd
  tags:
  - distgit

- name: allow httpd to access the files on NFS
  seboolean: name=httpd_use_nfs state=yes persistent=yes
  tags:
  - distgit

- name: allow httpd to access git user content
  seboolean: name=httpd_read_user_content state=yes persistent=yes
  tags:
  - distgit

- name: Secure tmpfs read only
  mount: name=/dev/shm src=tmpfs fstype=tmpfs opts=defaults,size=40G state=present
  tags:
  - distgit

# -- SSH
# We use a wrapper to let packager ssh in while restricting the command they can
# do, this installs that wrapper (which is otherwise configured in sshd_config)

- name: install the ssh_wrapper wrapper script
  copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755
  tags:
    - config
    - distgit
    - ssh
    - basessh

# -- Dist Git --------------------------------------------
# This is the Git setup itself: group, root directory, scripts,...
- name: install dist-git
  package: name={{item}} state=present
  with_items:
  - dist-git
  - dist-git-selinux
  tags:
  - distgit

- name: install the dist-git config
  copy: src=dist-git.conf dest=/etc/dist-git/dist-git.conf
  tags:
  - config
  - distgit

- name: Make sure apache can access the fedora-messasing ca
  acl:
    path: /etc/pki/rabbitmq/git-hooks.ca
    entity: apache
    etype: group
    permissions: r
    state: present
  tags:
  - distgit
  when: inventory_hostname.startswith('batcave')

- name: Make sure apache can access the fedora-messasing crt
  acl:
    path: /etc/pki/rabbitmq/git-hooks.crt
    entity: apache
    etype: group
    permissions: r
    state: present
  tags:
  - distgit
  when: inventory_hostname.startswith('batcave')

- name: Make sure apache can access the fedora-messasing key
  acl:
    path: /etc/pki/rabbitmq/git-hooks.key
    entity: apache
    etype: group
    permissions: r
    state: present
  tags:
  - distgit
  when: inventory_hostname.startswith('batcave')

- name: create the distgit root directory (/srv/git)
  file: dest=/srv/git state=directory mode=0755
  tags:
  - distgit

# These should all map to pkgdb namespaces
- name: create our namespace directories inside there..
  file: dest=/srv/git/repositories/{{item}} state=directory mode=2775 group=packager
  with_items:
  - rpms
  - docker
  - modules
  # Except for these two.  These namespaces are artificially created in the
  # dist-git pkgdb sync scripts.
  - test-rpms
  - test-modules
  - test-docker
  tags:
  - distgit

- name: Install robots.txt files
  copy: src={{item}} dest=/var/www/{{item}}
  with_items:
  - robots-pkgs.txt
  - robots-src.txt
  tags:
  - distgit

- name: install the DistGit related httpd config
  copy: src=git-smart-http.conf dest=/etc/httpd/conf.d/dist-git/git-smart-http.conf
  notify:
  - reload httpd
  tags:
  - distgit

- name: Symlink pkgs-git-repos-list
  copy: src=repolist.conf dest=/etc/httpd/conf.d/dist-git/repolist.conf
  notify:
  - reload httpd
  tags:
  - distgit

- name: schedule the update hook check
  cron: >
    name="check-update-hooks" cron_file="ansible-check-update-hooks"
    minute=0 hour=0 weekday=3
    user=nobody
    job="/usr/local/bin/git-check-perms --check=update-hook /srv/git/repositories"
  tags:
  - distgit

- name: install the two scripts needed for mass-branching
  copy: src={{item}} dest=/usr/local/bin/{{item}} owner=root group=root mode=0755
  with_items:
    - mass-branching-git.py
    - mass-branching-gitolite.py
  tags:
  - config
  - distgit
  - mass-branching

# -- Lookaside Cache -------------------------------------
# This is the annex to Dist Git, where we host source tarballs.
- name: install the Lookaside Cache httpd configs
  template: src={{item}} dest=/etc/httpd/conf.d/dist-git/{{item}}
  with_items:
  - lookaside.conf
  - lookaside-upload.conf
  notify:
  - reload httpd
  tags:
  - distgit
  - sslciphers

- name: create the Lookaside Cache root directory
  file: dest=/srv/cache/lookaside/pkgs state=directory
        owner=apache group=apache
  tags:
  - distgit

- name: set the selinux boolean git_cgi_use_nfs
  seboolean: name=git_cgi_use_nfs persistent=yes state=yes
  tags:
  - distgit
  - config
  - selinux

# Not sure why, but fixes https://fedorahosted.org/fedora-infrastructure/ticket/4825
- name: set the selinux boolean git_system_enable_homedirs
  seboolean: name=git_system_enable_homedirs persistent=yes state=yes
  tags:
  - distgit
  - config
  - selinux

- name: check the selinux context of the Lookaside Cache root directory
  command: matchpathcon /srv/cache
  register: lcachecontext
  check_mode: no
  changed_when: false
  tags:
  - config
  - lookaside
  - selinux
  - distgit

- name: set the SELinux policy for the Lookaside Cache root directory
  command: semanage fcontext -a -t nfs_t "/srv/cache(/.*)?"
  when: lcachecontext.stdout.find('nfs_t') == -1 and env != "staging"
  tags:
  - config
  - lookaside
  - selinux
  - distgit

- name: install the fedora-ca.cert
  copy: src={{private}}/files/fedora-ca.cert dest=/etc/httpd/conf/cacert.pem
  tags:
  - distgit

- name: install the pkgs cert
  copy: src={{private}}/files/pkgs.fedoraproject.org_key_and_cert.pem
        dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
        owner=apache mode=0400
  when: env != "staging"
  tags:
  - distgit

- name: install the pkgs.stg cert
  copy: src={{private}}/files/pkgs.stg.fedoraproject.org_key_and_cert.pem
        dest=/etc/httpd/conf/pkgs.fedoraproject.org_key_and_cert.pem
        owner=apache mode=0400
  when: env == "staging"
  tags:
  - distgit

# Three tasks for handling our selinux policy for upload.cgi
- name: ensure a directory exists for our SELinux policy
  file: dest=/usr/local/share/selinux/ state=directory
  tags: selinux

- name: copy over our custom selinux policy
  copy: src=upload_cgi.pp dest=/usr/local/share/selinux/upload_cgi.pp
  register: selinux_module
  tags: selinux

- name: install our custom selinux policy
  command: semodule -i /usr/local/share/selinux/upload_cgi.pp
  when: selinux_module is changed
  tags: selinux

- name: copy over our custom nfs selinux policy
  copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
  register: nfs_selinux_module
  tags: selinux

- name: install our custom nfs selinux policy
  command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
  when: nfs_selinux_module is changed
  tags: selinux

- name: Install another one of our own SELinux policy
  include_role:
    name: selinux/module
  vars:
    policy_file: files/http_policy.te
    policy_name: http_policy
  tags:
    - selinux

- name: setup grokmirror for repos
  package: name=python3-grokmirror state=installed
  tags:
  - grokmirror
  - pkgs

- name: make dir for grokmirror manifest
  file: path=/srv/git/grokmirror state=directory owner=root group=packager mode=2775
  tags:
  - grokmirror
  - pkgs

- name: set acls for grokmirror
  acl:
    path: /srv/git/grokmirror
    etype: group
    permissions: rwx
    state: present
  tags:
  - grokmirror
  - pkgs

- name: run initial grokmirror run
  command: /usr/bin/grok-manifest -m /srv/git/grokmirror/manifest.js.gz -t /srv/git/repositories/ creates=/srv/git/grokmirror/manifest.js.gz
  when: env != "staging"
  tags:
  - grokmirror
  - pkgs
